Merge remote-tracking branch 'origin/main' into benibenj/handsome-stoat

Author: benibenj

src/package.ts

@@ -2130,9 +2130,10 @@ export async function scanFilesForSecrets(files: IFile[], fileExclusion: FileExc
 	}
 
 	const onDiskFiles: ILocalFile[] = files.filter(file => !isInMemoryFile(file)) as ILocalFile[];
+	const onDiskNoneNodeModulesFiles = onDiskFiles.filter(file => !file.localPath.includes('node_modules'));
 	const inMemoryFiles: IInMemoryFile[] = files.filter(file => isInMemoryFile(file)) as IInMemoryFile[];
 
-	const onDiskResult = await lintFiles(onDiskFiles.map(file => file.localPath), scanForSecrets, scanDotEnv);
+	const onDiskResult = await lintFiles(onDiskNoneNodeModulesFiles.map(file => file.localPath), scanForSecrets, scanDotEnv);
 	const inMemoryResults = await Promise.all(
 		inMemoryFiles.map(file => lintText(typeof file.contents === 'string' ? file.contents : file.contents.toString('utf8'), file.path, scanForSecrets, scanDotEnv))
 	);

src/secretLint.ts

@@ -1,5 +1,6 @@
 import chalk from "chalk";
 import { Convert, Location, Region, Result, Level } from "./typings/secret-lint-types";
+import { log } from "./util";
 
 interface SecretLintEngineResult {
 	ok: boolean;
@@ -28,6 +29,15 @@ const secretsScanningRules = [
 						"/^(?![\\s\\S]*-----BEGIN .*PRIVATE KEY-----[A-Za-z0-9+/=\\r\\n]{50,}-----END .*PRIVATE KEY-----)[\\s\\S]*$/"
 					]
 				}
+			}, {
+				id: "@secretlint/secretlint-rule-npm",
+				options: {
+					allows: [
+						// An npm token has the prefix npm_ followed by 36 Base62 characters (30 random + 6-character checksum), totaling 40 characters.
+						// https://github.com/microsoft/vscode-vsce/issues/1153
+						"/^(?!(?:npm_[0-9A-Za-z]{36})$).+$/"
+					]
+				}
 			}
 		]
 	}
@@ -71,9 +81,16 @@ export async function lintFiles(
 ): Promise<SecretLintResult> {
 	const engine = await getEngine(scanSecrets, scanDotEnv);
 
-	const engineResult = await engine.executeOnFiles({
-		filePathList: filePaths
-	});
+	let engineResult;
+	try {
+		engineResult = await engine.executeOnFiles({
+			filePathList: filePaths
+		});
+	} catch (error) {
+		log.error('Error occurred while scanning secrets (files):', error);
+		process.exit(1);
+	}
+
 	return parseResult(engineResult);
 }
 
@@ -85,10 +102,16 @@ export async function lintText(
 ): Promise<SecretLintResult> {
 	const engine = await getEngine(scanSecrets, scanDotEnv);
 
-	const engineResult = await engine.executeOnContent({
-		content,
-		filePath: fileName
-	});
+	let engineResult;
+	try {
+		engineResult = await engine.executeOnContent({
+			content,
+			filePath: fileName
+		});
+	} catch (error) {
+		log.error('Error occurred while scanning secrets (content):', error);
+		process.exit(1);
+	}
 	return parseResult(engineResult);
 }
 

src/test/fixtures/secrets/noSecret1Ignore

@@ -1,2 +1,3 @@
 **secret**
+**noSecret**
 !noSecret1.ts

src/test/fixtures/secrets/noSecret2Ignore

@@ -1,2 +1,3 @@
 **secret**
+**noSecret**
 !noSecret2.ts

src/test/fixtures/secrets/noSecret3.ts

@@ -0,0 +1,4 @@
+// https://github.com/microsoft/vscode-vsce/issues/1153
+function npm_i_save_dev_types_Slashjest_or_npm_i_(){}
+function npm_i_save_dev_types_Slash_1_if_it_exists(){}
+function Cannot_find_name_0_Do_you_need_to_install_type_definitions_for_jQuery_Try_npm_i_save_dev_types_Slashjquery_and_then_add_jquery_to_the_types_field_in_your_tsconfig(){}

src/test/fixtures/secrets/noSecret3Ignore

@@ -0,0 +1,3 @@
+**secret**
+**noSecret**
+!noSecret3.ts

src/test/fixtures/secrets/secret1Ignore

@@ -1,2 +1,3 @@
 **secret**
+**noSecret**
 !secret1.ts

src/test/fixtures/secrets/secret2.ts

@@ -0,0 +1 @@
+export const k = `npm_Ab3kZy0X9QpLmN4tUvW7aBcDeFgHiJkLmNoPqRsTu`

src/test/fixtures/secrets/secret2Ignore

@@ -0,0 +1,3 @@
+**secret**
+**noSecret**
+!secret2.ts

src/test/package.test.ts

@@ -165,6 +165,19 @@ async function processExitExpected(fn: () => Promise<any>, errorMessage: string)
 	}
 }
 
+async function processExitNotExpected(fn: () => Promise<any>, errorMessage: string): Promise<void> {
+	const originalExit = process.exit;
+	try {
+		process.exit = (() => {
+			throw new Error(errorMessage);
+		}) as any;
+
+		await fn();
+	} finally {
+		process.exit = originalExit;
+	}
+}
+
 describe('collect', function () {
 	this.timeout(60000);
 
@@ -386,42 +399,54 @@ describe('collect', function () {
 
 	it('should not package .env file', async function () {
 		const cwd = fixture('env');
-		await processExitExpected(() => pack({ cwd, packagePath: getVisxOutputPath() }), 'Expected package to throw: .env file should not be packaged');
+		await processExitExpected(async () => await pack({ cwd, packagePath: getVisxOutputPath() }), 'Expected package to throw: .env file should not be packaged');
 	});
 
 	it('allow packaging .env file with --allow-package-env-file', async function () {
 		const cwd = fixture('env');
-		await pack({ cwd, allowPackageEnvFile: true, packagePath: getVisxOutputPath() });
+		await processExitNotExpected(async () => await pack({ cwd, allowPackageEnvFile: true, packagePath: getVisxOutputPath() }), 'Should not have exited');
 	});
 
 	it('should not package file which has a private key', async function () {
 		const cwd = fixture('secrets');
 		const ignoreFile = path.join(cwd, 'secret1Ignore');
-		await processExitExpected(() => pack({ cwd, packagePath: getVisxOutputPath(), ignoreFile }), 'Expected package to throw: file which has a private key should not be packaged');
+		await processExitExpected(async () => await pack({ cwd, packagePath: getVisxOutputPath(), ignoreFile }), 'Expected package to throw: file which has a private key should not be packaged');
 	});
 
 	it('allow packaging file which has a private key with --allow-package-secrets', async function () {
 		const cwd = fixture('secrets');
 		const ignoreFile = path.join(cwd, 'secret1Ignore');
-		await pack({ cwd, allowPackageSecrets: ['privatekey'], packagePath: getVisxOutputPath(), ignoreFile });
+		await processExitNotExpected(async () => await pack({ cwd, allowPackageSecrets: ['privatekey'], packagePath: getVisxOutputPath(), ignoreFile }), 'Should not have exited');
 	});
 
 	it('allow packaging file which has a private key with --allow-package-all-secrets', async function () {
 		const cwd = fixture('secrets');
 		const ignoreFile = path.join(cwd, 'secret1Ignore');
-		await pack({ cwd, allowPackageAllSecrets: true, packagePath: getVisxOutputPath(), ignoreFile });
+		await processExitNotExpected(async () => await pack({ cwd, allowPackageAllSecrets: true, packagePath: getVisxOutputPath(), ignoreFile }), 'Should not have exited');
 	});
 
 	it('private key false positive 1', async function () {
 		const cwd = fixture('secrets');
 		const ignoreFile = path.join(cwd, 'noSecret1Ignore');
-		await pack({ cwd, allowPackageAllSecrets: true, packagePath: getVisxOutputPath(), ignoreFile });
+		await processExitNotExpected(async () => await pack({ cwd, packagePath: getVisxOutputPath(), ignoreFile }), 'Should not have exited');
 	});
 
 	it('private key false positive 2', async function () {
 		const cwd = fixture('secrets');
 		const ignoreFile = path.join(cwd, 'noSecret2Ignore');
-		await pack({ cwd, allowPackageAllSecrets: true, packagePath: getVisxOutputPath(), ignoreFile });
+		await processExitNotExpected(async () => await pack({ cwd, packagePath: getVisxOutputPath(), ignoreFile }), 'Should not have exited');
+	});
+
+	it('should not package npm token', async function () {
+		const cwd = fixture('secrets');
+		const ignoreFile = path.join(cwd, 'secret2Ignore');
+		await processExitExpected(async () => await pack({ cwd, packagePath: getVisxOutputPath(), ignoreFile }), 'Expected package to throw: should not package npm token');
+	});
+
+	it('npm token false positive 1', async function () {
+		const cwd = fixture('secrets');
+		const ignoreFile = path.join(cwd, 'noSecret3Ignore');
+		await processExitNotExpected(async () => await pack({ cwd, packagePath: getVisxOutputPath(), ignoreFile }), 'Should not have exited');
 	});
 });